The UK's drive toward autonomous vehicles ("AVs") brings fresh legal challenges in data and competition regulation.

Introduction

The UK aims to position itself as a leader in AVs supported by new legislation such as the Automated Vehicles Act 2024 and investment programmes like DRIVE35, both designed to accelerate deployment. As the sector grows, businesses will need to navigate a complex legal landscape. Competition law, data access, privacy and safety rules will all play a role in shaping how AVs are operated. Understanding these rules is essential for successful deployment and risk management.

Access to Data

AVs generate and rely on vast amounts of data, including vehicle sensor data, high-definition maps and data used to train artificial intelligence systems. Control over and access to these datasets is a key consideration for the industry.

The EU Data Act (the "Data Act") introduces new rules on access to data generated by connected devices, with specific guidance for vehicle data. These are designed to ensure that users and, in some cases, third parties can access and use data, subject to safeguards for trade secrets and security. UK businesses with operations in the EU, or those partnering with EU-based firms, should be aware of these requirements.

Competition authorities pay attention to data access policies, especially where limiting access might make it harder for new entrants or rivals to innovate and compete effectively. Authorities may therefore consider whether companies with a significant market position should be required to share data with competitors (like the requirements imposed on Google Search to share query data with competitors such as DuckDuckGo).

However, not all restrictions are problematic. The key is whether limits on data sharing are objectively justified (for example, to protect privacy or intellectual property) and proportionate to the risks involved.

Where possible, data governance policies should allow for interoperability and access, while protecting sensitive information.

Privacy and Security

The Data Act operates alongside the GDPR to protect personal data (i.e., any information allowing one to identify an individual). AVs process large volumes of this, including location and, sometimes, even biometric information, bringing data protection and cybersecurity to the forefront.

The GDPR requires organisations to have a lawful basis for processing personal data, to be transparent with users and to keep data secure. Data Protection Impact Assessments ("DPIAs") are mandatory for high-risk processing, such as large-scale monitoring or use of innovative technologies like AVs. DPIAs help identify and mitigate privacy risks before launching new products or services.

Firms should collect only the personal data needed for the stated purpose and regularly review whether this can be reduced further. Cross-border data transfers (for example, to cloud providers outside the UK or EU) must comply with international transfer rules.

Also, given the amount of personal data involved within the AV ecosystem, there are connected cybersecurity risks. AV systems must be designed with security in mind, protecting against unauthorised access, hacking and data breaches. Regular testing, staff training and clear incident response plans are essential.

Mergers and Joint Ventures

Collaboration is common in the AV sector, with manufacturers, technology companies and service providers frequently partnering. For example, we have already recently seen deals between Wayve, a UK-based start-up, and Uber, as well as Waymo (a Google subsidiary) and Jaguar Land Rover – with trials set to begin on UK roads this year.

In fast moving sectors, joint ventures ("JVs") can be more flexible than full mergers, allowing firms to combine expertise and share costs. Research and Development ("R&D") collaborations are particularly important in the AV industry, where pooling resources and knowledge can help overcome technical challenges and bring new solutions to market quicker.

When forming a JV or entering an R&D partnership, firms must be careful about how they share information, especially if they are competitors in other markets. Information exchange should be limited to what is necessary for the project’s purpose, with safeguards in place to prevent anti-competitive behaviour. The European Commission's (the "Commission") Horizontal Guidelines distinguish between pro and anti-competitive R&D alliances. Each assessment is case-specific, weighing whether the R&D cooperation enhances innovation and consumer welfare without unduly restricting competition.

Authorities will assess whether a deal could substantially lessen competition in any part of the AV value chain, such as mapping or ride-hailing platforms. Multi-jurisdictional deals may require notifications in several countries. Early assessment and planning can help avoid delays.

Vertical Arrangements and Exclusivity

AV supply chains are highly intricate, spanning multiple layers, from vehicle manufacturers to software providers and fleet operators. Like in many other emerging technology sectors, exclusivity agreements are often used to manage these relationships. Exclusivity can help ensure security and provide incentives for investment, but such arrangements must be carefully structured to comply with competition law.

The EU and UK have block exemption regulations (respectively, the VBER and VABEO) that provide a safe harbour for many vertical agreements, including exclusivity provisions, provided certain conditions are met. For example, an AV manufacturer might agree with a leading LiDAR sensor supplier to source components exclusively for a limited period. Under the VBER and VABEO, such exclusivity is generally permitted if neither party exceeds a 30% market share and the agreement avoids “hardcore” restrictions. This allows both parties to invest and innovate confidently, while managing the risk of unfair foreclosure of others.

Best practice is to ensure that any exclusivity or other vertical restrictions are objectively justified, for example based on quality, safety or security, and proportionate to the aim pursued. Firms should document their reasoning and review arrangements regularly to ensure ongoing compliance.

Conclusion

As the UK's AV industry accelerates, businesses who understand and manage legal risks, especially around data, privacy and competition, will be better equipped to navigate the evolving regulatory landscape. Engaging with legal teams early and building strong compliance frameworks will enable AV businesses to innovate safely and with confidence.